The Importance of Cyber Security for Law Firms

By: Teresa Lo

Summary: Are you placing enough importance on cyber security in your law firm? Find out what you should be doing and why it’s so important in this article.

In late June of this year, global law firm DLA Piper was a victim of a vicious international cyber-attack. Hackers infected the law firm’s computer system with ransomware, and for days, the firm’s communication functions were inoperable. Ironically, before the attack, the BigLaw firm had touted its expertise in cybersecurity, and after DLA Piper was hit, many in the industry wondered—Could we be next?

The answer is simple—yes. Anyone who has a computer and goes online is at risk of being attacked, and this includes big law firms, small firms, and individuals. While it is evident that anyone is at risk, how to prevent cyberattacks and deal with them when they happen is more complicated. Yet, strangely, even the news of high-profile cyberattacks has not persuaded some companies to invest in top-notch cyber security. This, of course, is a mistake, and law firms should immediately build defenses to protect their systems.

What Kinds of Cyber Threats Do Law Firms Face?

Law firms are targets of hackers because they store valuable digital assets and have a reputation for deep pockets. Those who wish to do harm may be motivated by money or simply by a desire to cause damage, and to carry out their aims, hackers usually use various forms of malware, including ransomware, viruses, and worms.

Common threats include the following:

Malware: Software that is intended to damage or disable computer systems or individual machines. It’s a contraction of the words “malicious software,” and it refers to things such as viruses, Trojan horses, spyware, etc.

Ransomware: This type of malware locks down a computer and threatens to shut down the system unless a ransom is paid. This is what infected the DLA Piper system in June of 2017.

Worms: A worm is a type of malware that replicates itself in order to spread to multiple computers. It differs from a virus in that it can stand alone. A virus, on the other hand, needs to latch onto a host program to work.

Trojans: This type of malware discreetly creates backdoors that allow hackers or other malware to enter your system. It is named after the Greek Trojan Horse: something that appears to be a gift but is actually a deadly surprise.

Spyware: Just as the name suggests, spyware is software used to spy on you. This includes recording your keystrokes to learn your passwords or secretly using your camera to watch you.

Why Are Law Firms Not Focusing on Cyber Security?

The attack on DLA Piper was part of an international hack that started in Ukraine, and several major organizations were hit, such as the shipping conglomerate Maersk and the Ukrainian government. While organizations of that size have hundreds or even thousands of employees, small companies are at risk too.

Jessica Mazzeo and Fran Griesing told ABA Journal that their 12-person law firm was infected by malware in July of 2016. An employee had opened an infected attachment, and the malware began infecting that individual’s computer as well as every other computer at the firm. The firm immediately called its outsourced information technology provider, Micro Systems, which was able to take down the network, run anti-virus software, and wipe the infected hard drive before any real damage occurred.

Mazzeo and Griesing’s incident was thankfully not dramatic, but it did wake up the company. After the threat, the firm implemented preventative practices and invested in cyber security software such as Workshare and Trend Micro.

Based on these real-life horror stories, it is amazing that firms of all sizes still continue to risk their systems by not focusing on cyber security. But why is this? According to ABA Journal, the reason is money. It is expensive to hire cyber security professionals and implement practices, and law firms are rightly hesitant to pass those costs onto their clients.

Law Firms Need a Comprehensive Security Program

Despite money being a legitimate concern, when it comes to cyber security, firms cannot afford to cut corners. A law firm’s livelihood is based on documents and on keeping those documents safe, and a breach of that data can bring a world of negative consequences. Furthermore, an infected system that shuts down phones and email is crippling for a firm that needs to interact with clients and the court system. Although DLA Piper bounced back from its cyberattack, the attack still delayed its business and affected its reputation.

Additionally, clients demand to know that their information is safe, and law firms should absorb the expense and give clients that assurance. A survey from the American Bar Association found that 30.7% of all law firms and 62.8% of BigLaw firms reported that clients had imposed security requirements as a condition of their business.

Because clients will balk at a company that is not secure, law firms must commit to making security a priority, even if they don’t want to.

“Law firms are at the intersection of two significant threat trends,” Luke Dembosky, a cybersecurity and litigation partner at Debevoise & Plimpton told ABA Journal. “First, as vendors, law firms are attractive targets. They not only hold valuable client information but also are regularly emailing attachments to clients, providing a possible means to get into client systems. Second, law firms are seen ... as high-value targets for the rapidly growing use of ‘ransomware’ and extortion schemes because they have historically weak defenses and are seen as able to pay large sums.”

Law firms that are ready to protect themselves from cyber risks should first hire a chief information security officer and give him or her the tools to succeed, according to the American Bar Association. Those tools include a budget that allows the officer to hire enough staff to build and maintain a security program that protects the firm’s data. Parts of this security program could include conducting third-party security scans, developing security policies and procedures, and using encryption on all devices.

Jim Koening of Fenwick’s in New York told Bloomberg Big Law Business that law firms should implement a comprehensive security program and create an incident response plan.

“Law firms, like most companies, should implement a comprehensive information security and cyber program. Patching and anti-phishing training are two essential elements of the program as many of the recent catastrophic cyber attacks can be linked back to failures in these two areas,” Koening said. “Companies (and law firms) should also have and follow an incident response plan to make informed decisions about the veracity and seriousness of a ransomware threat. Some ransomware is copycat false threats, while others have catastrophic consequences. Increasingly, companies are practicing their ransomware and cyber decision-making in advance with tabletop cyber wargame simulations.”

The American Bar Association said that management must also resist the urge to be hands off in the cyber security decision-making process.

“Technical staff will manage most of these [security] activities, but firm partners and staff need to provide critical input. Firm management must define security roles and responsibilities, develop top-level policies and exercise oversight. This means reviewing findings from critical activities; receiving regular reports on intrusions, system usage and compliance with policies and procedures; and reviewing the security plans and budget,” the American Bar Association advised.

As the attack on DLA Piper proved, no law firm is safe from cyber threats. If an incident does happen, firms must have a response plan that specifies whom to notify, what data to preserve, and who has the authority to make decisions.

“Law firms, like any other business, are subject to breach notification laws, and many of them have pre-breach security program requirements,” the American Bar Association stated. “A firm will be in a far superior position with its clients, its state bar and any regulators that may become involved if it can show that (1) its security program is aligned with best practices, (2) its management is engaged, (3) it is complying with its policies and procedures, and (4) tools are deployed to detect malware and criminal behavior.”

John Reed Stark, the former chief of the Securities and Exchange Commission’s Office of Internet Enforcement, told ABA Journal that the first moments of a cyber-attack are the most critical, so the best practice is to have a cyber threat plan ready before an incident occurs.

“When a cyberattack happens, time is too often lost on getting organized and figuring out who to call, what to do first and so on,” Stark said. “Yet the first minutes after a breach are crucial, and a lot of important tasks must begin immediately. The reality is that there are very few bona fide data breach response firms, so finding the right response team can be a real challenge. The best practice is to develop key cybersecurity relationships beforehand, for example, master-service agreements, which many cybersecurity firms are willing to sign. The key is to get all the contract procurement done before the cyberattack or go a bit further and engage a cybersecurity firm to do a minor cybersecurity assessment and build a relationship that works.”

Conclusion

Lawyers cannot work without email and digital data, and because that information is precious, it is a target for cyber threats. All law firms, from sole proprietorships to firms with thousands of attorneys, must take cyber security seriously, protect their systems, and create a plan in case of an emergency.